RSA Conference 2012 post-mortem: IT security in a "precarious spot"

There was an unusual level of gloom at the RSA Conference this year, and for good reason: a number of the biggest and most respected security firms have been very recently breached, including RSA Security, VeriSign, and Symantec.

This wasn't the first year the IT security industry was embarrassed. Last year, HB Gary Federal was breached and that event consumed a considerable amount of talk at the show. That's not to forget the recent big name breaches at organizations such as Google, the U.S. Department of State and Nasdaq in recent years.

"There is a feeling that no matter what steps one takes, it can't be won. Systems can't be kept adequately secured," said a security executive at an international electronics manufacturer.

Whitfield Diffie, one of the pioneers of public-key cryptography would disagree. When speaking during The Cryptographers' Panel keynote at the 2012 RSA Conference about the breach at the U.S. Dept. of State in which U.S. Army soldier Bradley Manning allegedly passed classified data to the whistleblower site WikiLeaks, Diffie noted that many of the security controls worked, and for the breach to occur it required a trusted insider to conduct it.

He also noted that security's "failings" may be about perception. "Security moves from one failure to the next, while if you are on offense it moves from one success to the next," Diffie said.

Stefan Savage, professor at the department of computer science and engineering, University of Calif., San Diego, observed that many of the perceived failures of IT security may be because the industry, largely, views security as a technical problem.

"There is a massive human component to security. While there are lots of technical things behind spam and botnets, there are people behind all of that, and then there are people who make mistakes that many times let them [spammers and botnets] through," said Savage.

Savage provided an example where focusing dependencies other than technical have yielded results. For years, the industry has focused on trying to block spam and malware and shut down the domains -- yet spam and botnets continued to thrive. "We eventually discovered that banking is the weak point and that taking down the merchant accounts can be far more effective than taking down domains that can be easily replaced by the criminals."

Savage also noted the never-ending nature of cyber-crime. "We don't have proofs for ending war and conflict, and putting the prefix 'cyber' in front of it doesn't change the dynamic," he said.

Michael McConnell, former director of the National Security Agency, said during the Cloud Security Alliance Summit that the industry may need increased regulation. He said the IT security industry is at an awkward stage similar to when the government wanted to force auto manufacturers to build seat-belts. Not everyone wanted the regulation. "We are at a similar time in safety and privacy concerns, and we have to address these issues. Industry is going to have to accept some level of regulations," he said.

"I think we're in a precarious spot," said the security analyst at a regional telecommunications firm. "We're neither winning nor losing." Business is still moving online and there's no stopping that. And organizations are getting hacked, for certain. But there are risks in everything we do every day. We just need to learn how to better manage and protect what were doing."

Read more about cloud security in CSOonline's Cloud Security section.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleNational Security AgencyNSARSASymantecVeriSign Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts